1 #!/sbin/sh
2 #
3 # CDDL HEADER START
4 #
5 # The contents of this file are subject to the terms of the
6 # Common Development and Distribution License (the "License").
7 # You may not use this file except in compliance with the License.
8 #
9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 # or http://www.opensolaris.org/os/licensing.
11 # See the License for the specific language governing permissions
12 # and limitations under the License.
13 #
14 # When distributing Covered Code, include this CDDL HEADER in each
15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 # If applicable, add the following below this CDDL HEADER, with the
17 # fields enclosed by brackets "[]" replaced with your own identifying
18 # information: Portions Copyright [yyyy] [name of copyright owner]
19 #
20 # CDDL HEADER END
21 #
22
23 #
24 # Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
25 # Copyright 2015 Nexenta Systems, Inc. All rights reserved.
26 # Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
27 #
28
29 # Start/stop processes required for server NFS
30
31 . /lib/svc/share/smf_include.sh
32 . /lib/svc/share/ipf_include.sh
33 zone=`smf_zonename`
34
35 #
36 # Handling a corner case here. If we were in offline state due to an
37 # unsatisfied dependency, the ipf_method process wouldn't have generated
38 # the ipfilter configuration. When we transition to online because the
39 # dependency is satisfied, the start method will have to generate the
40 # ipfilter configuration. To avoid all possible deadlock scenarios,
41 # we restart ipfilter which will regenerate the ipfilter configuration
42 # for the entire system.
43 #
44 # The ipf_method process signals that it didn't generate ipf rules by
45 # removing the service's ipf file. Thus we only restart network/ipfilter
46 # when the file is missing.
47 #
48 configure_ipfilter()
49 {
50 ipfile=`fmri_to_file $SMF_FMRI $IPF_SUFFIX`
51 ip6file=`fmri_to_file $SMF_FMRI $IPF6_SUFFIX`
52 [ -f "$ipfile" -a -f "$ip6file" ] && return 0
53
54 #
55 # Nothing to do if:
56 # - ipfilter isn't online
57 # - global policy is 'custom'
58 # - service's policy is 'use_global'
59 #
60 service_check_state $IPF_FMRI $SMF_ONLINE || return 0
61 [ "`get_global_def_policy`" = "custom" ] && return 0
62 [ "`get_policy $SMF_FMRI`" = "use_global" ] && return 0
63
64 svcadm restart $IPF_FMRI
65 }
66
67 case "$1" in
68 'start')
69 # The NFS server is not supported in a local zone
70 if smf_is_nonglobalzone; then
71 /usr/sbin/svcadm disable -t svc:/network/nfs/server
72 echo "The NFS server is not supported in a local zone"
73 sleep 5 &
74 exit $SMF_EXIT_OK
75 fi
76
77 # Share all file systems enabled for sharing. sharemgr understands
78 # regular shares and ZFS shares and will handle both. Technically,
79 # the shares would have been started long before getting here since
80 # nfsd has a dependency on them.
81
82 # restart stopped shares from the repository
83 /usr/sbin/sharemgr start -P nfs -a
84
85 # Options for nfsd are now set in SMF
86
87 /usr/lib/nfs/mountd
88 rc=$?
89 if [ $rc != 0 ]; then
90 /usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server
91 echo "$0: mountd failed with $rc"
92 sleep 5 &
93 exit $SMF_EXIT_ERR_FATAL
94 fi
95
96 /usr/lib/nfs/nfsd
97 rc=$?
98 if [ $rc != 0 ]; then
99 /usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server
100 echo "$0: nfsd failed with $rc"
101 sleep 5 &
102 exit $SMF_EXIT_ERR_FATAL
103 fi
104
105 configure_ipfilter
106 ;;
107
108 'refresh')
109 /usr/sbin/sharemgr start -P nfs -a
110 ;;
111
112 'stop')
113 /usr/bin/pkill -x -u 0,1 -z $zone '(nfsd|mountd)'
114
115 # Unshare all shared file systems using NFS
116
117 /usr/sbin/sharemgr stop -P nfs -a
118
119 # Kill any processes left in service contract
120 smf_kill_contract $2 TERM 1
121 [ $? -ne 0 ] && exit 1
122 ;;
123
124 'ipfilter')
125 #
126 # NFS related services are RPC. nfs/server has nfsd which has
127 # well-defined port number but mountd is an RPC daemon.
128 #
129 # Essentially, we generate rules for the following "services"
130 # - nfs/server which has nfsd and mountd
131 # - nfs/rquota
132 #
133 # The following services are enabled for both nfs client and
134 # server, if nfs/client is enabled we'll treat them as client
135 # services and simply allow incoming traffic.
136 # - nfs/status
137 # - nfs/nlockmgr
138 # - nfs/cbd
139 #
140 NFS_FMRI="svc:/network/nfs/server:default"
141 NFSCLI_FMRI="svc:/network/nfs/client:default"
142 RQUOTA_FMRI="svc:/network/nfs/rquota:default"
143 FMRI=$2
144
145 file=`fmri_to_file $FMRI $IPF_SUFFIX`
146 file6=`fmri_to_file $FMRI $IPF6_SUFFIX`
147 echo "# $FMRI" >$file
148 echo "# $FMRI" >$file6
149 policy=`get_policy $NFS_FMRI`
150
151 #
152 # nfs/server configuration is processed in the start method.
153 #
154 if [ "$FMRI" = "$NFS_FMRI" ]; then
155 service_check_state $FMRI $SMF_ONLINE
156 if [ $? -ne 0 ]; then
157 rm $file
158 exit $SMF_EXIT_OK
159 fi
160
161 nfs_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI 2>/dev/null`
162 tport=`$SERVINFO -p -t -s $nfs_name 2>/dev/null`
163 if [ -n "$tport" ]; then
164 generate_rules $FMRI $policy "tcp" $tport $file
165 fi
166
167 tport6=`$SERVINFO -p -t6 -s $nfs_name 2>/dev/null`
168 if [ -n "$tport6" ]; then
169 generate_rules $FMRI $policy "tcp" $tport6 $file6 _6
170 fi
171
172 uport=`$SERVINFO -p -u -s $nfs_name 2>/dev/null`
173 if [ -n "$uport" ]; then
174 generate_rules $FMRI $policy "udp" $uport $file
175 fi
176
177 uport6=`$SERVINFO -p -u6 -s $nfs_name 2>/dev/null`
178 if [ -n "$uport6" ]; then
179 generate_rules $FMRI $policy "udp" $uport6 $file6 _6
180 fi
181
182 # mountd IPv6 ports are also reachable through IPv4, so include
183 # them when generating IPv4 rules.
184 tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null`
185 tports6=`$SERVINFO -R -p -t6 -s "mountd" 2>/dev/null`
186 if [ -n "$tports" -o -n "$tports6" ]; then
187 tports=`unique_ports $tports $tports6`
188 for tport in $tports; do
189 generate_rules $FMRI $policy "tcp" \
190 $tport $file
191 done
192 fi
193
194 if [ -n "$tports6" ]; then
195 for tport6 in $tports6; do
196 generate_rules $FMRI $policy "tcp" \
197 $tport6 $file6 _6
198 done
199 fi
200
201 uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null`
202 uports6=`$SERVINFO -R -p -u6 -s "mountd" 2>/dev/null`
203 if [ -n "$uports" -o -n "$uports6" ]; then
204 uports=`unique_ports $uports $uports6`
205 for uport in $uports; do
206 generate_rules $FMRI $policy "udp" \
207 $uport $file
208 done
209 fi
210
211 if [ -n "$uports6" ]; then
212 for uport6 in $uports6; do
213 generate_rules $FMRI $policy "udp" \
214 $uport6 $file6 _6
215 done
216 fi
217
218 elif [ "$FMRI" = "$RQUOTA_FMRI" ]; then
219 iana_name=`svcprop -p inetd/name $FMRI`
220
221 # rquota IPv6 ports are also reachable through IPv4, so include
222 # them when generating IPv4 rules.
223 tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
224 tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
225 if [ -n "$tports" -o -n "$tports6" ]; then
226 tports=`unique_ports $tports $tports6`
227 for tport in $tports; do
228 generate_rules $NFS_FMRI $policy "tcp" \
229 $tport $file
230 done
231 fi
232
233 if [ -n "$tports6" ]; then
234 for tport6 in $tports6; do
235 generate_rules $NFS_FMRI $policy "tcp" \
236 $tport6 $file6 _6
237 done
238 fi
239
240 uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
241 uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
242 if [ -n "$uports" -o -n "$uports6" ]; then
243 uports=`unique_ports $uports $uports6`
244 for uport in $uports; do
245 generate_rules $NFS_FMRI $policy "udp" \
246 $uport $file
247 done
248 fi
249
250 if [ -n "$uports6" ]; then
251 for uport6 in $uports6; do
252 generate_rules $NFS_FMRI $policy "udp" \
253 $uport6 $file6 _6
254 done
255 fi
256 else
257 #
258 # Handle the client services here
259 #
260 if service_check_state $NFSCLI_FMRI $SMF_ONLINE; then
261 policy=none
262 ip=any
263 fi
264
265 restarter=`svcprop -p general/restarter $FMRI 2>/dev/null`
266 if [ "$restarter" = "$INETDFMRI" ]; then
267 iana_name=`svcprop -p inetd/name $FMRI`
268 isrpc=`svcprop -p inetd/isrpc $FMRI`
269 else
270 iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI`
271 isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc $FMRI`
272 fi
273
274 if [ "$isrpc" = "true" ]; then
275 tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
276 tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
277 uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
278 uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
279 else
280 tports=`$SERVINFO -p -t -s $iana_name 2>/dev/null`
281 tports6=`$SERVINFO -p -t6 -s $iana_name 2>/dev/null`
282 uports=`$SERVINFO -p -u -s $iana_name 2>/dev/null`
283 uports6=`$SERVINFO -p -u6 -s $iana_name 2>/dev/null`
284 fi
285
286 # IPv6 ports are also reachable through IPv4, so include
287 # them when generating IPv4 rules.
288 if [ -n "$tports" -o -n "$tports6" ]; then
289 tports=`unique_ports $tports $tports6`
290 for tport in $tports; do
291 generate_rules $FMRI $policy "tcp" $tport $file
292 done
293 fi
294
295 if [ -n "$tports6" ]; then
296 for tport6 in $tports6; do
297 generate_rules $FMRI $policy "tcp" $tport6 $file6 _6
298 done
299 fi
300
301 if [ -n "$uports" -o -n "$uports6" ]; then
302 uports=`unique_ports $uports $uports6`
303 for uport in $uports; do
304 generate_rules $FMRI $policy "udp" $uport $file
305 done
306 fi
307
308 if [ -n "$uports6" ]; then
309 for uport6 in $uports6; do
310 generate_rules $FMRI $policy "udp" $uport6 $file6 _6
311 done
312 fi
313 fi
314
315 ;;
316
317 *)
318 echo "Usage: $0 { start | stop | refresh }"
319 exit 1
320 ;;
321 esac
322 exit $SMF_EXIT_OK